Methods and apparatus for provisioning devices with secrets

ABSTRACT

A method for provisioning a mobile device with a secret to be used as a basis for generating One-Time passwords includes receiving a first request using a first communications method. The first request includes a mobile device identifier. The method also includes sending a credential message using a second communications method. The credential message includes an authentication credential. The method also includes receiving a second request using a third communications method different from the second communications method. The second request includes information based upon the authentication credential sent by the provisioning service. The method also includes sending the secret if the authentication credential in the credential message corresponds to the information based upon the authentication credential in the second request.

FIELD OF THE INVENTION

The present invention relates generally to provisioning devices with secrets. The secrets may be used as a basis for generating One-Time Passwords. More particularly, the present invention relates to methods and apparatus for authenticating devices and provisioning the authenticated devices with secrets.

BACKGROUND

A common step in deciding whether to grant a request for access to data or services in a network is to authenticate the requesting user. Authentication is the process of establishing or confirming one or more characteristics associated with a user or a request. For example, authentication may include confirming a user's identity or confirming that a request is generated by a particular device. In computer networks, authentication commonly involves the use of passwords. Knowledge of a password is assumed to warrant that the user is authentic. Typically, a user is initially assigned or selects a password, and upon each subsequent use the user must provide the password. A password is considered a first authentication factor because it is something the user knows that presumptively no one else knows.

Since passwords are vulnerable to hackers, security can be improved by adding a second authentication factor. Second authentication factors generally include something the user has (as opposed to something the user knows). Second authentication factors preferably include credentials that can be generated systematically and verified efficiently. Common sources of second authentication factors include smart cards, tokens, and other similar security devices that may be referred to generally as security tokens.

A security token can include one or more secrets that may be shared with an authentication service. The token can use the secret as the basis for generating credentials such as One-Time Passwords (OTPs). An OTP can be a number or alphanumeric string that is generated once and is not reused. The token can generate an OTP and the user can send the OTP to an authentication service. The authentication service generates an OTP using its copy of the secret. The user is authenticated if the OTP determined by the authentication service matches the OTP provided by the user.

Secrets can be stored in numerous different types of devices and used as the basis for generating OTPs. As examples, secrets may be stored in personal computers, notebook computers, cell phones, and other devices. One challenge faced by authentication services is how to provide secrets to these types of devices in a secure and user friendly manner. Users prefer provisioning methods that are user friendly, while authentication services require provisioning methods that are secure. Unlike security tokens, which are typically provisioned with a secret during manufacture, these devices are usually not provisioned with a secret until after purchase by a user. There is a tradeoff between security and usability when using conventional methods of provisioning devices. Secure methods are generally not user friendly, and user friendly methods are generally not secure. This is because secure methods typically require multiple levels of user input for authentication, while user friendly methods require little or no user input for authentication. Authentication to acquire a secret generally requires confirmation that the request is associated with a particular device. For example, a mobile device such as a cell phone may be required to provide information that confirms it generated a request for a secret.

Thus, there is a general need in the art for improved methods and apparatus for provisioning devices with secrets.

SUMMARY

Embodiments of the present invention provide secure and user friendly methods and apparatus for provisioning devices with secrets. Merely by way of example, some embodiments provide methods that include two-channel authentication to ensure that the device requesting the secret is the device receiving the secret. Some embodiments also provide user friendly methods that require minimal user input. Because the methods are user friendly, it is more likely that users will acquire and use secrets to enable two-factor authentication.

In accordance with an embodiment of the invention, a method for provisioning a mobile device with a secret to be used as a basis for generating One-Time Passwords includes sending, from the mobile device to the provisioning service, a first request for the secret using a communications method other than Short Message Service. The first request may include a mobile device identifier comprising a telephone number, a Mobile Identification Number, or an Electronic Identification Number of the mobile device. The method also includes receiving, from the provisioning service at the mobile device, a Short Message Service message containing authentication credentials. The authentication credentials may include a nonce and the mobile device identifier. The method also includes sending, from the mobile device to the provisioning service, a second request for the secret using a communications method other than Short Message Service. The second request may include the nonce received from the provisioning service and the mobile device identifier. The mobile device is authenticated if the nonce and the mobile device identifier sent in the Short Message Service message from the provisioning service correspond to the nonce and the mobile device identifier received from the mobile device in the second request. If the mobile device is authenticated, the secret that is used as the basis for generating One-Time Passwords is sent from the provisioning service to the mobile device over a communications method other than Short Message Service. The communications method can use an encrypted connection such as HTTP over SSL or TLS.

In accordance with another embodiment of the invention, a method for provisioning a mobile device with a secret to be used as a basis for generating One-Time Passwords includes sending, from the mobile device to a provisioning service, a first request for the secret using a first communications method. The first request may include a mobile device identifier. The method also includes receiving, from the provisioning service at the mobile device, a credential message using a second communications method. The credential message may include an authentication credential. The method also includes sending, from the mobile device to the provisioning service, a second request using a third communications method different from the second communications method. The second request may include information based upon the authentication credential received from the provisioning service. The method also includes receiving, from the provisioning service at the mobile device, the secret if the information based upon the authentication credential in the second request corresponds to the authentication credential in the credential message.

In accordance with another embodiment of the invention, a method for provisioning a mobile device with a secret to be used as a basis for generating One-Time Passwords includes receiving, from the mobile device at the provisioning service, a first request using a first communications method. The first request may include a mobile device identifier. The method also includes sending, from the provisioning service to the mobile device, a credential message using a second communications method. The credential message may include an authentication credential. The method also includes receiving, from the mobile device at the provisioning service, a second request using a third communications method different from the second communications method. The second request may include information based upon the authentication credential sent by the provisioning service. The method also includes sending, from the provisioning service to the mobile device, the secret if the authentication credential in the credential message corresponds to the information based upon the authentication credential in the second request.

In accordance with yet another embodiment of the invention, an apparatus configured to provision mobile devices with secrets includes a first receiving mechanism configured to receive from a mobile device a first request using a first communications method. The first request may include a mobile device identifier. The apparatus also includes a first sending mechanism configured to send to the mobile device a credential message using a second communications method. The credential message may contain an authentication credential. The apparatus also includes a second receiving mechanism configured to receive from the mobile device a second request using a communications method other than the second communications method. The second request may include information based upon the authentication credential. The apparatus also includes a second sending mechanism configured to send to the mobile device a secret if the authentication credential in the credential message corresponds to the information in the second request.

Numerous benefits are achieved using the present invention over conventional techniques. Some embodiments of the present invention provide secure methods of provisioning a device with a secret. For example, one embodiment includes a multi-step request process. In response to a first request, an out-of-band communications method can be used to send an authentication credential to a requesting device. The out-of-band communications method can be used to ensure the authentication credential is sent to the device associated with a particular mobile device identifier, while the authentication credential can be used to authenticate the device during a second request for the secret. Other embodiments of the present invention provide user friendly methods of provisioning a device with a secret. For example, in response to a request for a secret, one embodiment includes sending a message to the device that includes a uniform resource locator (URL). As explained more fully below, the URL can be used to confirm that the message was received by the device with minimal user input.

Depending upon the embodiment, one or more of these benefits may exist. These and other benefits are described throughout the specification and more particularly below.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified diagram of an exemplary system for provisioning mobile devices with secrets according to an embodiment of the present invention;

FIG. 2 is a simplified flowchart illustrating an exemplary method of obtaining a secret from a provisioning service according to an embodiment of the present invention;

FIG. 3 is a simplified flowchart illustrating an exemplary method of obtaining a secret from a provisioning service according to another embodiment of the present invention;

FIG. 4 is a simplified flowchart illustrating an exemplary method of obtaining a secret from a provisioning service according to another embodiment of the present invention;

FIG. 5 is a simplified flowchart illustrating an exemplary method of provisioning a mobile device with a secret according to an embodiment of the present invention;

FIG. 6 is a simplified flowchart illustrating an exemplary method of provisioning a mobile device with a secret according to another embodiment of the present invention;

FIG. 7 is a simplified flowchart illustrating an exemplary method of provisioning a mobile device with a secret according to another embodiment of the present invention; and

FIG. 8 is a simplified diagram of an exemplary apparatus for provisioning a mobile device with a secret according to an embodiment of the present invention.

DETAILED DESCRIPTION

Embodiments of the present invention provide secure and user friendly methods of provisioning devices with secrets that may be used as the basis for generating One-Time Passwords (OTPs). Some embodiments include secure methods that utilize multi-step request processes, include two-channel authentication, associate authentication credentials with particular mobile device identifiers, and/or encrypt authentication credentials and secrets prior to sending. Other embodiments provide user friendly methods that utilize uniform resource locators (URLs) to minimize user input.

FIG. 1 is a simplified diagram of an exemplary system for provisioning mobile devices with secrets according to an embodiment of the present invention. The system illustrated in FIG. 1 includes a mobile device 102 and a provisioning service 104. The mobile device 102 and the provisioning service 104 are communicatively coupled via a communications link 106.

The mobile device 102 may include a cellular phone such as a smartphone, a handheld device such as a personal digital assistant, a mobile computing device such as a laptop or notebook computer, or similar devices. The mobile device 102 may include typical software and hardware components as would be understood by one of ordinary skill in the art. For example, the mobile device 102 may include a visual display with means for user input in accordance with known techniques.

In an embodiment the mobile device 102 includes a memory and a central processing unit (CPU). The memory may be configured to store the information and instructions that can be executed by the CPU to perform at least part of the methods in accordance with embodiments of the present invention. As an example, the memory may include provisioning software with instructions for sending requests for secrets to provisioning service 104 and for receiving secrets from provisioning service 104. The memory may also include a software application with instructions for generating OTPs using the secret. The memory is not limited and may include magnetic storage media, optical storage media, flash memory, and the like. Similarly, the CPU is not limited and can be a general purpose microprocessor configured to execute instructions or an application specific integrated circuit (ASIC) that embodies at least a part of the instructions in software, firmware and/or hardware. One of ordinary skill in the art would recognize many variations, modifications, and alternatives.

The provisioning service 104 typically includes one or more computers and/or servers capable of communicating with the mobile device 102 and configured to carry out the steps described below to provision the mobile device with a secret. The computer(s) and/or server(s) may include typical hardware and software configurations as would be understood by one of ordinary skill in the art.

In an embodiment, each of the computer(s) and/or server(s) may include a memory and one or more CPUs. The memory may be configured to store the information and instructions that can be executed by the CPU(s) to perform at least part of the methods in accordance with embodiments of the present invention. As an example, the memory may include provisioning software with instructions for receiving and responding to a request for a secret from the mobile device 102. The memory may be local or remote and may include magnetic storage media, optical storage media, flash memory, and the like. Similarly, the CPU(s) are not limited and can be a general purpose microprocessor configured to execute instructions and/or an ASIC that embodies at least a part of the instructions in software, firmware and/or hardware. One of ordinary skill in the art would recognize many variations, modifications, and alternatives.

Although specific aspects and features of the mobile device 102 and the provisioning service 104 have been described, one of ordinary skill in the art will appreciate that a mobile device and a provisioning service suitable for use with methods and systems consistent with the present invention may contain additional and/or different hardware and software. Thus, the mobile device 102 and the provisioning service 104 are not limited to the exemplary aspects and features described above.

The mobile device 102 and the provisioning service 104 are configured to communicate using communications link 106. The communications link 106 preferably utilizes both a radio network, such as a cellular network, and a computer network, such as the Internet, for communications. The communications link 106, however, is not limited to these particular communications technologies. One of ordinary skill in the art will recognize that various aspects of the invention may be practiced utilizing these and other communications technologies in accordance with known techniques.

FIG. 2 is a simplified flowchart illustrating an exemplary method of obtaining a secret from a provisioning service according to an embodiment of the present invention. The method is explained with reference to the exemplary system illustrated in FIG. 1. The method includes sending a first request for the secret using a first communications method (202). The first request may be sent from the mobile device 102 to the provisioning service 104.

In one embodiment the first request is generated and sent automatically during installation or as part of an initialization step of a provisioning application that may be embodied in software and stored in memory of the mobile device 102. As an example, a provisioning application may include instructions to check that the mobile device 102 includes a secret. The provisioning application may also include instructions to generate and send a first request for a secret to the provisioning service 104 if the mobile device 102 does not include a secret.

The first request is sent via the communications link 106 using a first communications method. Communications methods that may be used in accordance with embodiments of the present invention include, for example, voice connections over a cellular network, Short Message Service (SMS) messages over a cellular network, data transfer over a computer network using a file transfer protocol such as a hypertext transfer protocol (HTTP), email messages over a computer network, and the like. It will be appreciated by one of ordinary skill in the art that the methods of the present invention are not limited to these particular communications methods and may be practiced using any communications methods. Further, secure communications methods may be used in accordance with known techniques. For example, data transfer over a computer network may utilize transport layer security (TLS) or secure sockets layer (SSL).

The first request may include a mobile device identifier associated with the mobile device 102 making the request. A mobile device identifier may include a telephone number, a mobile identification number, and/or an electronic identification number associated with the mobile device 102. Alternatively, the mobile device identifier may include any identifier associated with a particular mobile device.

The exemplary method illustrated in FIG. 2 also includes receiving a credential message using a second communications method (204). The credential message may be sent from the provisioning service 104 to the mobile device 102 in response to the first request.

The credential message is received via the communications link 106 using a second communications method. In an embodiment, the second communications method is different from the first communications method. For example, the first communications method may include an HTTP request, and the second communications method includes an SMS message. In this example, the second communications method that includes an SMS message may be considered to be an out-of-band communications method because it is different from the first communications method that includes an HTTP request. One of ordinary skill in the art will appreciate that an out-of-band communications method can be used to improve security.

The credential message may include an authentication credential such as one or more nonces and/or the mobile device identifier sent with the first request. Alternatively, the mobile device identifier may be different from but based on the mobile device identifier included with the first request. The nonce(s) may be a code, such as an alphanumeric code, that is generated by the provisioning service 104 and associated with the mobile device identifier. In an embodiment, the authentication credential is encrypted by the provisioning service 104 using known encryption techniques and, after being received by the mobile device 102, the authentication credential is decrypted using known decryption techniques. In another embodiment, only the nonce(s) is encrypted and decrypted. The credential message may also include a digital signature.

The exemplary method illustrated in FIG. 2 also includes sending a second request using a third communications method that is different from the second communications method (206). The second request may be sent from the mobile device 102 to the provisioning service 104. The second request is sent via communications link 106. In an embodiment, the second communications method includes an SMS message and the third communications method includes an HTTP request over an encrypted connection such as SSL or TLS. The second request may include the authentication credential, or information based upon the authentication credential, that was received in step 204.

The exemplary method illustrated in FIG. 2 also includes receiving the secret if the authentication credential sent with the second request, or the information based upon the authentication credential, corresponds to the authentication credential in the credential message. The secret may be sent from the provisioning service 104 to the mobile device 102. The secret is received via communications link 106. In an embodiment, the secret is sent using a communications method that is different from the second communications method. The secret may be stored in memory of the mobile device using known tamper-resistant measures to protect the secret from unauthorized disclosure.

In an embodiment, the secret is encrypted by the provisioning service 104 using known encryption techniques, and after being received by the mobile device 102, the secret is decrypted using known decryption techniques. A cryptographic key may also be sent from the provisioning service 104 to the mobile device 102 that can be used for decryption of the encrypted secret upon authentication of the mobile device 102. The encryption key may also be derived from the authentication credential along with some coded key in the application.
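The last sentence above describes a decryption key derived from the authentication credential together with a key coded into the application, so that the encrypted secret is useless to anyone who holds only the SMS. The following is an added illustration of that derivation, not the patent's own code: the derivation labels, the constructed APP_KEY value, the use of HMAC-SHA256 both as the key-derivation PRF and as a counter-mode keystream with a separate MAC key (encrypt-then-MAC) are all assumptions chosen so the example runs on the Python standard library, which has no AES; a deployment would use an AEAD such as AES-GCM in place of the keystream/MAC pair.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder for the key compiled into the provisioning application.
APP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_keys(app_key: bytes, nonce: str, device_id: str):
    """Derive (encryption key, MAC key) bound to this nonce and device identifier.

    The nonce comes from the credential message (the SMS); the app key is the
    'coded key in the application'. Both are needed to reconstruct the keys.
    """
    prk = hmac.new(app_key, nonce.encode() + b"|" + device_id.encode(),
                   hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"secret-wrap-enc", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"secret-wrap-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """HMAC counter mode: PRF(key, iv || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_secret(secret: bytes, app_key: bytes, nonce: str, device_id: str) -> bytes:
    """Provisioning-service side: return iv || ciphertext || tag."""
    enc_key, mac_key = derive_keys(app_key, nonce, device_id)
    iv = secrets.token_bytes(16)                       # fresh per wrapping
    ct = bytes(p ^ k for p, k in zip(secret, _keystream(enc_key, iv, len(secret))))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def unwrap_secret(blob: bytes, app_key: bytes, nonce: str, device_id: str):
    """Mobile-device side: verify the tag first, then decrypt; None on failure."""
    enc_key, mac_key = derive_keys(app_key, nonce, device_id)
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected_tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return None                                    # wrong key material or tampering
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))


def demo():
    """Round trip, then two failure cases: wrong nonce, wrong application key."""
    seed = secrets.token_bytes(20)                     # a 160-bit OTP seed
    blob = wrap_secret(seed, APP_KEY, "nonce-from-sms", "+15550100")
    ok = unwrap_secret(blob, APP_KEY, "nonce-from-sms", "+15550100") == seed
    wrong_nonce = unwrap_secret(blob, APP_KEY, "other-nonce", "+15550100") is None
    wrong_app_key = unwrap_secret(blob, b"not-the-app-key", "nonce-from-sms", "+15550100") is None
    return ok, wrong_nonce, wrong_app_key


if __name__ == "__main__":
    print(demo())
```

Two things to keep in mind when reading this: the MAC is checked before any decryption, so a tampered or mis-keyed blob never yields garbage that the application might store as a seed; and a key compiled into an application can be recovered from the binary, so the app key is defense in depth on top of the nonce, the out-of-band channel and TLS, not a substitute for them.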

The method illustrated in FIG. 2 is secure because, for example, it includes a multi-step request process that includes a first request in step 202 and a second request in step 206. In an embodiment, the first request initiates the provisioning process, while the authentication credentials provided with the second request authenticate the mobile device. The method can also include two-channel authentication, with an out-of-band communications method used to send the credential message in step 204. The method can also use known encryption techniques when sending the authentication credentials and/or the secret.

FIG. 3 is a simplified flowchart illustrating an exemplary method of obtaining a secret from a provisioning service according to another embodiment of the present invention. The method includes sending a first request for the secret (302). The first request may be sent from the mobile device 102 to the provisioning service 104. Step 302 may be similar to step 202 described above, and may include sending a mobile device identifier with the first request.

The method also includes receiving a credential message that includes a URL (304). The credential message may be sent from the provisioning service 104 to the mobile device 102 in response to the first request. In one embodiment, the credential message includes an SMS message with a URL that is associated with an authentication credential included in the credential message. The authentication credential may include one or more nonces and/or the mobile device identifier sent with the first request. All or a portion of the authentication credential may be encrypted as explained previously. In an embodiment, a second message is sent from the provisioning service 104 to the mobile device 102 using an HTTP request with instructions to check for the SMS message.

The method also includes sending the authentication credential using an HTTP request associated with the URL (306). The authentication credential may be sent from the mobile device 102 to the provisioning service 104. In an embodiment, the URL links back to the provisioning service 104 to confirm that the credential message was received by the mobile device 102. For example, a user selecting or clicking the URL may open a browser window that links back to the provisioning service 104. This allows a user to confirm that the credential message was received by the mobile device 102 by simply selecting or clicking the URL. All or a portion of the authentication credential may be encrypted as explained previously.

The method also includes receiving a prompt to send a second request (308). The prompt may be sent from the provisioning service 104 to the mobile device 102 if the authentication credential received by the provisioning service 104 in step 306 corresponds to the authentication credential in the credential message.

The method also includes sending a second request (310) and receiving the secret (312). The second request may be sent from the mobile device 102 to the provisioning service 104. The second request may include the authentication credential received in step 304 or the mobile device identifier sent with the first request in step 302. The secret may be sent from the provisioning service 104 to the mobile device 102 in step 312 if the authentication credential corresponds to the authentication credential sent with the credential message. The secret may be encrypted as explained previously.

In an embodiment, the provisioning service 104 may define a period of time during which the second request in step 310 is expected. As an example, in one embodiment the period of time is one minute. The period of time may begin when the authentication credential is received in step 306 or when the prompt is sent in step 308. If the second request is not received during the period of time, the secret is not sent to the mobile device 102 in step 312. Restricting the second request to a particular period of time can provide additional security to the provisioning process.

The exemplary method illustrated in FIG. 3 provides a secure and user friendly method of obtaining a secret from a provisioning service. As an example, a provisioning application can include instructions to send the first and second requests (steps 302, 310) after a simple click of a button by a user. As explained previously, the provisioning application can be embodied in software and stored in memory of the mobile device 102. The provisioning application can also include instructions to send the HTTP request (step 306) after a user selects or clicks the URL. Thus, a secure provisioning method is provided that requires minimal user input or interaction.

FIG. 4 is a simplified flowchart illustrating an exemplary method of obtaining a secret from a provisioning service according to another embodiment of the present invention. The method includes sending a first request for the secret (402). The first request may be sent from the mobile device 102 to the provisioning service 104. Step 402 may be similar to steps 202, 302 described above, and may include sending a mobile device identifier with the first request.

The method also includes receiving a credential message that includes an authentication credential (404). The credential message may be sent from the provisioning service 104 to the mobile device 102 in response to the first request. In one embodiment, the credential message includes an SMS message with a URL that is associated with the authentication credential. The authentication credential may include one or more nonces and/or the mobile device identifier sent with the first request. All or a portion of the authentication credential may be encrypted as explained previously. In an embodiment, a second message is sent from the provisioning service 104 to the mobile device 102 using an HTTP request with instructions to check for the SMS message.

The method also includes sending the authentication credential using an HTTP request (406). The authentication credential may be sent from the mobile device 102 to the provisioning service 104. In an embodiment, the credential message in step 404 includes a URL that links back to the provisioning service 104 to confirm that the credential message was received by the mobile device 102. This allows a user to send the authentication credential by simply selecting or clicking the URL. All or a portion of the authentication credential may be encrypted as explained previously.

The method also includes receiving an HTTP response that includes a redirect to a URL associated with a provisioning application (408). The response may be sent from the provisioning service 104 to the mobile device 102 in response to receiving the HTTP request in step 406. In an embodiment, the URL provides the authentication credential, or information based on the authentication credential, to the provisioning application via a browser interface. As explained previously, the provisioning application may be embodied in software and stored in memory of the mobile device 102. The authentication credential or information based on the authentication credential may be encrypted as explained previously.

The method also includes sending a second request that is generated using the provisioning application (410). The second request may be sent from the mobile device 102 to the provisioning service 104. The second request may include the authentication credential or information based on the authentication credential. Encryption techniques may be used as explained previously.

In an embodiment, a provisioning application may include instructions to send the second request to the provisioning service 104 without requiring any user input. For example, the second request may be sent after receiving the HTTP response in step 408. Alternatively, the provisioning application may include instructions to send the second request after receiving instructions from a user. For example, a user may select a “Get Secret” button that is associated with the provisioning application and is visible to the user on a visual display of the mobile device 102.

The method also includes receiving the secret (412). The secret may be sent from the provisioning service 104 to the mobile device 102 if the authentication credential, or information based on the authentication credential, sent in step 410 corresponds to the authentication credential in the credential message. The secret may be encrypted as explained previously.

The exemplary method illustrated in FIG. 4 provides a secure and user friendly method of obtaining a secret from a provisioning service. As an example, a provisioning application can include instructions to send the first and second requests (steps 402, 410) after a simple click of a button by a user. Additionally, the provisioning application can include instructions to automatically send the second request after receiving the HTTP response in step 408. Thus, a secure provisioning method is provided that requires minimal user input or interaction.
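The URL-based flows of FIG. 3 (SMS with a URL, HTTP request on the URL, prompt, timed second request) and FIG. 4 (the same, but the HTTP response redirects into the provisioning application) differ only in what the service returns at step 306/406, so one simulation serves both. The code below is an added example and not the patent's own; the service URL, the `otpapp://` application URL scheme, the query parameter names, the class and function names and the injected clock are all assumptions. It enforces the one-minute window of step 310 and treats each nonce as single use on both the URL fetch and the second request.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

WINDOW_SECONDS = 60                                    # the one-minute example window
SERVICE_BASE = "https://provisioning.example/confirm"  # placeholder service URL
APP_URL = "otpapp://provision"                         # placeholder app URL scheme


class UrlProvisioningService:
    """Service side of FIG. 3 / FIG. 4. `clock` returns seconds and is injected
    so the time window can be exercised without waiting."""

    def __init__(self, clock):
        self.clock = clock
        self.pending = {}     # device_id -> nonce, issued at step 304/404
        self.confirmed = {}   # device_id -> (nonce, deadline), set at step 306/406

    def credential_sms(self, device_id: str) -> str:
        """Step 304/404: the SMS text; its URL embeds the nonce and identifier."""
        nonce = secrets.token_urlsafe(16)
        self.pending[device_id] = nonce
        return "Tap to confirm: " + SERVICE_BASE + "?" + urlencode({"id": device_id, "n": nonce})

    def handle_get(self, url: str, redirect_to_app: bool):
        """Step 306/406: the device's browser fetches the URL.
        Returns (HTTP status, response body or redirect Location)."""
        qs = parse_qs(urlparse(url).query)
        device_id = qs.get("id", [""])[0]
        nonce = qs.get("n", [""])[0]
        expected = self.pending.pop(device_id, None)            # single use
        if expected is None or not hmac.compare_digest(expected, nonce):
            return 403, "unknown or mismatched credential"
        # Receipt of the SMS is confirmed; the window for step 310 starts now.
        self.confirmed[device_id] = (nonce, self.clock() + WINDOW_SECONDS)
        if redirect_to_app:                                     # FIG. 4, step 408
            return 302, APP_URL + "?" + urlencode({"id": device_id, "n": nonce})
        return 200, "send the second request now"               # FIG. 3, step 308

    def second_request(self, device_id: str, nonce: str):
        """Step 310/410: release the seed only inside the window, only once."""
        entry = self.confirmed.pop(device_id, None)
        if entry is None:
            return None
        expected, deadline = entry
        if self.clock() > deadline or not hmac.compare_digest(expected, nonce):
            return None
        return secrets.token_hex(20)                            # step 312/412


class FakeClock:
    """Deterministic stand-in for time.time()."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


def url_in(sms_text: str) -> str:
    """The provisioning application pulls the URL out of the SMS body."""
    return sms_text.split()[-1]


def scenario(delay_seconds: float, redirect_to_app: bool):
    """One provisioning attempt with `delay_seconds` between the URL fetch and
    the second request. Returns (HTTP status at step 306/406, seed or None)."""
    clock = FakeClock()
    svc = UrlProvisioningService(clock)
    sms = svc.credential_sms("+15550100")                       # constructed identifier
    status, target = svc.handle_get(url_in(sms), redirect_to_app)
    # FIG. 4: the app reads the credential from the redirect URL.
    # FIG. 3: the app reads it from the SMS it already holds.
    source = target if redirect_to_app else url_in(sms)
    qs = parse_qs(urlparse(source).query)
    clock.t += delay_seconds                                    # time until step 310
    return status, svc.second_request(qs["id"][0], qs["n"][0])


if __name__ == "__main__":
    print(scenario(5, False))    # FIG. 3 inside the window: (200, seed)
    print(scenario(5, True))     # FIG. 4 inside the window: (302, seed)
    print(scenario(61, True))    # second request 61 s later: (302, None)
```

Because the URL fetch pops the pending nonce, a second tap on the same SMS link is refused, and because `second_request` pops the confirmed entry, an expired window cannot be retried without a new first request. Both are what make the one-minute limit in the text a real bound rather than a suggestion.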

The exemplary methods illustrated in FIGS. 2-4 are generally provided from a perspective of the mobile device 102. Similar methods are illustrated in FIGS. 5-7, respectively, that are generally provided from a perspective of the provisioning service 104. Thus, features explained above with regard to FIGS. 2-4 also apply to FIGS. 5-7.

FIG. 5 is a simplified flowchart illustrating an exemplary method of provisioning a mobile device with a secret according to an embodiment of the present invention. The method illustrated in FIG. 5 includes receiving a first request using a first communications medium (502). The first request may be sent from the mobile device 102 to the provisioning service 104. The first request is sent via the communications link 106 using a first communications method. The first request may include a mobile device identifier associated with the mobile device 102. In an embodiment, the provisioning service 104 generates one or more nonces and associates the nonce(s) with the mobile device identifier.

The method also includes sending a credential message using a second communications method (504). The credential message may include an authentication credential such as the nonce(s) and the mobile device identifier. The credential message may be sent from the provisioning service 104 to the mobile device 102. The credential message is sent via the communications link 106 using a second communications method. Similar to step 204 above, the second communications method may be different from the first communications method.

The method also includes receiving a second request using a third communications method that is different from the second communications method (506). The second request may be sent from the mobile device 102 to the provisioning service 104. The second request may include the authentication credential, or information based upon the authentication credential, that was sent in step 504.

The method also includes sending the secret if the authentication credentials sent with the second request correspond to the authentication credentials in the credential message (508). The secret may be sent from the provisioning service 104 to the mobile device 102.

FIG. 6 is a simplified flowchart illustrating an exemplary method of provisioning a mobile device with a secret according to another embodiment of the present invention. The method includes receiving a first request for the secret (602). The first request may be sent from the mobile device 102 to the provisioning service 104. Step 602 may be similar to step 502 described above, and may include sending a mobile device identifier with the first request.

The method also includes sending a credential message that includes a URL (604). The credential message may be sent from the provisioning service 104 to the mobile device 102 in response to the first request. In one embodiment, the credential message includes an SMS message with a URL that is associated with an authentication credential included in the credential message.

The method also includes receiving the authentication credential that is sent using an HTTP request associated with the URL (606). The authentication credential may be sent from the mobile device 102 to the provisioning service 104. In an embodiment, the URL links back to the provisioning service 104 to confirm that the credential message was received by the mobile device 102.

The method also includes sending a prompt to send a second request (608). The prompt may be sent from the provisioning service 104 to the mobile device 102 if the authentication credential received by the provisioning service 104 in step 606 corresponds to the authentication credential that was sent by the provisioning service 104 in step 604.

The method also includes receiving a second request (610) and sending the secret (612). The second request may be sent from the mobile device 102 to the provisioning service 104. The secret may be sent from the provisioning service 104 to the mobile device 102 in step 312 if the authentication credential corresponds to the authentication credential sent with the credential message.

FIG. 7 is a simplified flowchart illustrating an exemplary method of provisioning a mobile device with a secret according to another embodiment of the present invention. The method includes receiving a first request for the secret (702). The first request may be sent from the mobile device 102 to the provisioning service 104. Step 702 may be similar to steps 502, 602 described above, and may include sending a mobile device identifier with the first request.

The method also includes sending a credential message that includes an authentication credential (704). The credential message may be sent from the provisioning service 104 to the mobile device 102 in response to the first request.

The method also includes receiving the authentication credential that was sent using an HTTP request (706). The authentication credential may be sent from the mobile device 102 to the provisioning service 104. In an embodiment, the credential message sent in step 704 includes a URL that links back to the provisioning service 104 to confirm that the credential message was received by the mobile device 102.

The method also includes sending an HTTP response that includes a redirect to a URL associated with a provisioning application (708). The response may be sent from the provisioning service 104 to the mobile device 102 in response to receiving the authentication credential that was sent using an HTTP request in step 706.

The method also includes receiving a second request that is generated using the provisioning application (710). The second request may be sent from the mobile device 102 to the provisioning service 104.

The method also includes sending the secret (712). The secret may be sent from the provisioning service 104 to the mobile device 102 if the authentication credential, or information based on the authentication credential, received in step 710 corresponds to the authentication credential sent with the credential message.
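The exchanges of FIG. 5 (nonce bound to the device identifier, delivered over a second channel, checked on the second request) and FIG. 7 (credential URL in the SMS, HTTP confirmation, redirect to the provisioning application) can be simulated end to end. The following is an added example written for this page, not code from the patent or from any product; the confirmation URL, the `otpapp://` application scheme, the five-minute nonce lifetime, the sample device identifier and the in-process SMS queue are all constructed assumptions. What the text leaves implicit, and what a practitioner would want to see, is the service-side check: the nonce is compared in constant time, only against the record bound to the identifier from the first request, only while unexpired, and it releases the secret at most once.

```python
"""Simulated provisioning service and mobile device for the exchanges of FIGS. 5 and 7.

Constructed example: the SMS channel and the HTTP channel are in-process objects,
so the whole exchange runs offline and can be inspected step by step.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a credential message is only honoured for five minutes.
NONCE_TTL_SECONDS = 300


@dataclass
class PendingProvision:
    """Server-side record binding one nonce to one mobile device identifier."""
    device_id: str
    nonce: str
    issued_at: float
    sms_confirmed: bool = False  # set when the credential URL is fetched (step 706)
    used: bool = False           # a nonce releases a secret at most once


class ProvisioningService:
    """Plays the role of provisioning service 104."""

    def __init__(self,
                 confirm_url: str = "https://provisioning.example/confirm",  # assumed URL
                 app_url: str = "otpapp://provision",                      # assumed app scheme
                 now: Callable[[], float] = time.time) -> None:
        self.confirm_url = confirm_url
        self.app_url = app_url
        self.now = now
        self.pending: Dict[str, PendingProvision] = {}
        self.sms_outbox: List[Tuple[str, str]] = []  # simulated SMS channel: (device_id, text)

    def first_request(self, device_id: str) -> None:
        """Steps 502/702: HTTP request carrying the device identifier.
        Steps 504/704: SMS credential message carrying nonce + identifier as a URL."""
        nonce = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self.pending[device_id] = PendingProvision(device_id, nonce, self.now())
        query = urlencode({"id": device_id, "n": nonce})
        self.sms_outbox.append((device_id, f"{self.confirm_url}?{query}"))

    def _lookup(self, device_id: str, nonce: str) -> Optional[PendingProvision]:
        """Return the pending record only if the nonce is bound to this device,
        unexpired, unused and equal under a constant-time comparison."""
        rec = self.pending.get(device_id)
        if rec is None or rec.used:
            return None
        if self.now() - rec.issued_at > NONCE_TTL_SECONDS:
            return None
        if not hmac.compare_digest(rec.nonce.encode(), nonce.encode()):
            return None
        return rec

    def confirm_credential(self, request_url: str) -> Tuple[int, Optional[str]]:
        """Step 706: the device's browser fetches the URL from the SMS, which shows the
        message arrived. Step 708: reply with a redirect into the provisioning app."""
        q = parse_qs(urlparse(request_url).query)
        device_id, nonce = q.get("id", [""])[0], q.get("n", [""])[0]
        rec = self._lookup(device_id, nonce)
        if rec is None:
            return 403, None
        rec.sms_confirmed = True
        return 302, f"{self.app_url}?{urlencode({'id': device_id, 'n': nonce})}"

    def second_request(self, device_id: str, nonce: str,
                       require_confirmation: bool = True) -> Optional[bytes]:
        """Steps 506/710 and 508/712: release the secret only when the credential in the
        second request corresponds to the one sent in the credential message.
        require_confirmation=False is the plain FIG. 5 flow with no URL step."""
        rec = self._lookup(device_id, nonce)
        if rec is None or (require_confirmation and not rec.sms_confirmed):
            return None
        rec.used = True
        return secrets.token_bytes(20)  # 160-bit seed, e.g. for HMAC-SHA-1 based OTPs


def run_exchange(service: ProvisioningService, device_id: str = "15555550100") -> Optional[bytes]:
    """Mobile-device side of the FIG. 7 exchange (constructed device identifier)."""
    service.first_request(device_id)                          # step 402: first request
    sms_text = next(t for d, t in service.sms_outbox if d == device_id)
    status, location = service.confirm_credential(sms_text)   # step 406: browser follows URL
    if status != 302:
        return None
    q = parse_qs(urlparse(location).query)                    # step 408: app reads the redirect
    return service.second_request(q["id"][0], q["n"][0])      # steps 410/412: second request, secret


if __name__ == "__main__":
    svc = ProvisioningService()
    print("secret issued:", run_exchange(svc) is not None)
```

The `used` flag and the expiry check are what make a leaked or replayed SMS harmless after the first use; the binding of the nonce to the identifier from the first request is what ties the two channels together. The secret itself is still returned over the HTTP channel here, so that channel must be TLS-protected in any real deployment, which the example does not model.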

FIG. 8 is a simplified diagram of an exemplary apparatus for provisioning a mobile device with a secret according to an embodiment of the present invention. The apparatus may be configured to implement the features of the provisioning service 104 described above. The apparatus includes a first receiving mechanism 802. The first receiving mechanism 802 may be configured to receive a first request from the mobile device 102 using a first communications medium.

The apparatus also includes a first sending mechanism 804. The first sending mechanism 804 may be configured to send a credential message to the mobile device 102 using a second communications method. The second communications method may be different from the first communications method. In an embodiment, the first sending mechanism 804 may be configured to send an SMS message that includes a URL associated with an authentication credential.

The apparatus also includes a second receiving mechanism 806. The second receiving mechanism 806 may be configured to receive a second request from the mobile device 102 using a third communications method that is different from the second communications method.

The apparatus also includes a second sending mechanism 808. The second sending mechanism 808 may be configured to send the secret to the mobile device 102 if the authentication credentials sent by the first sending mechanism correspond to authentication credentials received by the second receiving mechanism with the second request.

While the present invention has been described in terms of specific embodiments, it should be apparent to those skilled in the art that the scope of the invention is not limited to the embodiments described herein. For example, it is to be understood that the features of one or more embodiments of this invention may be combined with one or more features of other embodiments of the invention without departing from the scope of the invention. Also, the examples and embodiments described herein are for illustrative purposes only, and various modifications or changes in light thereof will be evident to persons skilled in the art and are to be included within the spirit and purview of this application and the scope of the appended claims.

1. A method for provisioning a mobile device with a secret to be used as a basis for generating One-Time Passwords, where a provisioning service uses an out-of-band communications method to send a credential to the mobile device, and the mobile device then uses the credential to authenticate itself to the provisioning service over an in-band communications method, the method comprising: sending from the mobile device to the provisioning service a first request for the secret using a communications method other than Short Message Service, wherein the first request includes a mobile device identifier comprising at least one of a telephone number, a mobile identification number, or an electronic identification number of the mobile device; receiving from the provisioning service at the mobile device a Short Message Service message containing authentication credentials, wherein the authentication credentials include a nonce and the mobile device identifier; sending from the mobile device to the provisioning service a second request for the secret using a communications method other than Short Message Service, wherein the second request includes the nonce received from the provisioning service and the mobile device identifier; if the nonce and the mobile device identifier sent in the Short Message Service message from the provisioning service to the mobile device correspond to the nonce and the mobile device identifier received from the mobile device in the second request, then authenticating the mobile device; and if the mobile device is authenticated, then sending from the provisioning service to the mobile device over a communications method other than Short Message Service the secret to be used as the basis for generating One-Time Passwords at the mobile device.
2. A method for provisioning a mobile device with a secret to be used as a basis for generating One-Time passwords, the method comprising: sending from the mobile device to a provisioning service a first request for the secret using a first communications method, where the first request includes a mobile device identifier; receiving from the provisioning service at the mobile device a credential message using a second communications method, where the credential message includes an authentication credential; sending from the mobile device to the provisioning service a second request using a third communications method different from the second communications method, where the second request includes information based upon the authentication credential received from the provisioning service; and receiving from the provisioning service at the mobile device the secret if the information based upon the authentication credential in the second request corresponds to the authentication credential in the credential message.
3. The method of claim 2 wherein the mobile device identifier includes at least one of a telephone number, a mobile identification number, or an electronic identification number of the mobile device.
4. The method of claim 2 further comprising: sending the authentication credential from the mobile device to the provisioning service; and thereafter receiving from the provisioning service at the mobile device a prompt to send the second request.
5. The method of claim 4 wherein the credential message includes a uniform resource locator (URL), and wherein sending the authentication credential includes sending a hypertext transfer protocol (HTTP) request associated with the URL.
6. The method of claim 2 further comprising: receiving from the provisioning service at the mobile device a prompt associated with the credential message using a communications method other than the second communications method.
7. The method of claim 2 further comprising: sending from the mobile device to the provisioning service the authentication credential using a hypertext transfer protocol (HTTP) request; and receiving from the provisioning service at the mobile device an HTTP response, the HTTP response including a redirect to a uniform resource locator (URL) associated with a provisioning application, wherein the second request is generated using the provisioning application.
8. The method of claim 2 wherein the first communications method includes a hypertext transfer protocol (HTTP) request and the second communications method includes a Short Message Service message.
9. The method of claim 2 further comprising generating a One-Time Password based upon the secret.
10. A method for provisioning a mobile device with a secret to be used as a basis for generating One-Time passwords, the method comprising: receiving from the mobile device at the provisioning service a first request using a first communications method, where the first request includes a mobile device identifier; sending from the provisioning service to the mobile device a credential message using a second communications method, where the credential message includes an authentication credential; receiving from the mobile device at the provisioning service a second request using a third communications method different from the second communications method, where the second request includes information based upon the authentication credential sent by the provisioning service; and sending from the provisioning service to the mobile device the secret if the authentication credential in the credential message corresponds to the information based upon the authentication credential in the second request.
11. The method of claim 10 wherein the mobile device identifier includes at least one of a telephone number, a mobile identification number, or an electronic identification number of the mobile device.
12. The method of claim 10 wherein the first communications method is different from the second communications method.
13. The method of claim 10 wherein the authentication credential comprises a nonce and the mobile device identifier.
14. The method of claim 10 further comprising: receiving from the mobile device at the provisioning service the authentication credential; and thereafter sending from the provisioning service to the mobile device a prompt to send the second request.
15. The method of claim 14 wherein the credential message includes a uniform resource locator (URL), and wherein receiving the authentication credential includes receiving a hypertext transfer protocol (HTTP) request associated with the URL.
16. The method of claim 10 further comprising: sending from the provisioning service to the mobile device a prompt associated with the credential message using a communications method other than the second communications method.
17. The method of claim 10 further comprising: receiving from the mobile device at the provisioning service the authentication credential using a hypertext transfer protocol (HTTP) request; and sending from the provisioning service to the mobile device an HTTP response, the HTTP response including a redirect to a uniform resource locator (URL) associated with a provisioning application, wherein the second request is generated using the provisioning application.
18. The method of claim 10 wherein the first communications method includes a hypertext transfer protocol (HTTP) request and the second communications method includes a Short Message Service message.
19. The method of claim 10 wherein the authentication credential includes a digital signature.
20. The method of claim 10 wherein the second communications method includes a Short Message Service message.
21. The method of claim 10 wherein the secret includes a cryptographic key.
22. The method of claim 10 wherein the authentication credential sent from the provisioning service to the mobile device is encrypted.
23. An apparatus configured to provision mobile devices with secrets, comprising: a first receiving mechanism configured to receive from a mobile device a first request using a first communications method, where the first request includes a mobile device identifier; a first sending mechanism configured to send to the mobile device a credential message using a second communications method, where the credential message contains an authentication credential; a second receiving mechanism configured to receive from the mobile device a second request using a communications method other than the second communications method, where the second request includes information based upon the authentication credential; and a second sending mechanism configured to send to the mobile device a secret if the authentication credential in the credential message corresponds to the information in the second request.
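Claims 9 and 21 state what the provisioned secret is for: a cryptographic key from which the mobile device generates One-Time Passwords. The page does not name an OTP algorithm, so the following added example (not code from the patent) assumes the secret is used as an HMAC-based OTP seed in the manner of RFC 4226, and uses that RFC's 20-byte reference secret so the codes can be checked against its published test vectors. It pairs the device-side generator with the server-side verifier a practitioner would need to go with it: a look-ahead window for counter drift and a counter that only moves forward, so a code that has been observed once cannot be accepted again.

```python
"""HMAC-based One-Time Passwords (RFC 4226 style) from a provisioned secret, with a
server-side verifier. Constructed example using the RFC 4226 reference secret;
not code from the patent."""
import hashlib
import hmac
import struct

# 20-byte reference secret from RFC 4226 Appendix D, i.e. the ASCII digits 1234567890 twice.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Dynamic truncation of HMAC-SHA-1(secret, counter) to a fixed-length decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side copy of the provisioned secret plus a moving counter.

    A code is accepted only from counters inside a look-ahead window starting at the
    next expected value, and the window then moves past the accepted counter, so the
    same counter (and therefore the same code) is never accepted twice.
    """

    def __init__(self, secret: bytes, window: int = 10) -> None:
        self.secret = secret
        self.counter = 0          # next counter value the server will accept
        self.window = window      # how far ahead the device may have drifted

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronise past the accepted counter
                return True
        return False


if __name__ == "__main__":
    for i in range(3):
        print(i, hotp(RFC4226_SECRET, i))
```

The secret that the provisioning exchange delivers is the only long-term value shared between device and service; the counter is public state, so the verifier's refusal to move backwards, rather than any secrecy of the counter, is what stops replay.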